The John C. Bogle Center for Financial Literacy is pleased to sponsor the 43rd episode of Bogleheads Live with Steve Ryder.
In this podcast, Steve, a cybersecurity expert, answers questions about how to stay safe online.
Jon Luskin: Bogleheads® Live is our ongoing Twitter Space series where the do-it-yourself investor community asks their questions to financial experts live on Twitter. You can ask your questions by joining us with the next Twitter Space. Get the dates and times for the next Bogleheads® Live by following the John C. Bogle Center for Financial Literacy on Twitter. That's @bogleheads. For those that can't make the live events, episodes are recorded and turned into a podcast. This is that podcast.
Thank you for joining us for the 43rd Bogleheads® Live, where the do-it-yourself investor community asks questions to experts live. My name is Jon Luskin, and I'm your host. Today's topic is cybersecurity. How to keep your money safe online. Stephen Ryder is our guest. He'll be answering your questions.
Let's start by talking about the Bogleheads®, a community of investors who believe in keeping it simple, following a small number of tried-and-true investing principles. This episode of Bogleheads® Live, as with all episodes, is brought to you by the John C. Bogle Center for Financial Literacy, a 501(c)(3) nonprofit organization dedicated to helping people make better financial decisions. Visit boglecenter.net to find valuable information and to make a tax-deductible donation. You can also jump straight to boglecenter.net/donate.
Before we get started on today's show, some announcements. Registration is now open for the 2023 Bogleheads® Conference. Our 2023 conference will be held on October 13th through the 15th in Rockville, Maryland. You can register at boglecenter.net/2023conference.
For the next Bogleheads® Live, we'll have Pete Adeney, better known as Mr. Money Mustache, as our guest. That'll be Tuesday, May 2nd at 10:00 AM Pacific, 1:00 PM Eastern.
Before we get started on today's show, a disclaimer. This is for informational and entertainment purposes only. Lastly, thanks to everyone who submitted questions ahead of time. We might not have time to answer all of them.
Let's get started on our show with Stephen Ryder. Today's topic: cybersecurity - how to keep your money safe online. Stephen, thank you for joining us today on Bogleheads® Live. Looks like we've got our first speaker request.
Vita: Hey there, thanks for taking my call. How do you safeguard yourself when you are traveling?
Stephen Ryder: First of all, when you're traveling, especially if you're traveling out of the country, try to use just one credit card. Try not to use multiple credit cards. Keep an eye on the account. Look for any activity that just looks out of pattern.
I know a lot of the credit card vendors are pretty good at alerting if something seems amuck. Credit card vendors are pretty good at that. Typically, I always suggest don't use a debit card. Because a debit card comes right out of your bank account.
So use a credit card. Use one credit card, don’t use multiple credit cards.
Jon Luskin: Stephen, this question is from username “Target2019” from the Bogleheads® Forums who writes: “What is the best tutorial about online safety and security?”
Stephen Ryder: I think here where is being careful on things that you click on, things that you post. Being careful on social media, posting too much information, more information than you probably want anyone to know about you. I know the world has turned into everyone wanting to know everything about everybody and people really bragging or posting about where they are, what they're doing. So, I always tend to tell people, don't post anything online that you wouldn't want anyone to know about. It can be used against you for many reasons, such as birthdates, dogs, kids' names. So those are common password opportunities for hackers who try to learn about you, try to hack into your account. They also can be used against you to phish you or text you or reach out to you and try to gain access to you personally to say, hey, how's your daughter doing? How's your son doing? Looks like they had a birthday. Whatever it is, they try to get to know you a little bit more personally.
So be really careful about any online accounts. If you see all these free ads or free things, if it's too good to be true, it usually is.
Jon Luskin: I think about those online posts to the effect of “your rock band name is your middle name and the name of the street that you grew up in as a kid.” I'm like, hmm, that sounds sketchy, personal information they're digging for. I always tend to stay away from those things.
Stephen Ryder: I always stay away from the voting and questions like that. Because again, they're just trying to prey on gathering information on you. I did a presentation several years ago, I was speaking about just be careful what you post online. Don't post vacation photos.
Have I got a story for you. My sister was on vacation in Mexico. They were posting all these photos, this wonderful vacation they had in Mexico. When they came home, their house had been robbed because everyone knew where they were. If you want to brag about where you are, best brag after you get home.
Jon Luskin: This one is from username “Weathering” from the Bogleheads® Forums who writes: “What can be done to minimize the risks of a cybersecurity hack on an account?”
Stephen Ryder: Make sure you have multi-factor authentication before you can log in to the account.
If you're communicating with a broker online, if things are going to be wired, make sure phone calls happen, some type of communications protocol that is not just simply an email. Even a secure email. My broker, for example, they take extra steps when they wire money or they'll do things like that.
Jon Luskin: And for those folks who aren't cybersecurity experts, tell us what multi-factor authentication means.
Stephen Ryder: You log in to a website or bank account, you have a username and you have a password. And then, you might have an app on your phone that prompts you for an additional password to log in.
So, for example, when I log into my bank account, I have a token on my phone. So, I take my username and my password, and that prompts me for another piece of password. And I have to put in this other number from my phone.
Jon Luskin: So, you'll put in the username and put in the password, and then we'll have to put in that email code or that text message that's sent to you. Is that the additional level of security that we want to have?
Stephen Ryder: Yes, absolutely. That's exactly what I'm talking
Jon Luskin: This question is from username “VictoriaF” from the Bogleheads® Forums who writes: “What protections do we have in Vanguard and Fidelity accounts if cybercriminals break into them and deplete our assets? Let's assume that we use complex passwords, don't share our passwords with others, and use two-factor authentication or multi-factor authentication - as we just talked about - by the brokerage.”
Stephen Ryder: I can't really answer specifically about the broker dealer. What I do know is oftentimes, a lot of these banking entities always say you are protected against fraud in the event that somebody gets into your account. If you have all the security protocols in place, those assets should be protected. As long as you're doing what they recommend, I've always understood them to be protected. I'm not an expert on that actual aspect of what the broker might do to protect those.
Jon Luskin: Stephen, I'm curious, what are your thoughts on having your money at two custodians? So, hey, I have some money at Vanguard and I have some money at Fidelity. That way if cybercriminals happen to break into one of those custodians, I'll still have money somewhere else. Is that unnecessarily complicated?
Stephen Ryder: I like that for multiple reasons. Obviously for a cybersecurity incident and obviously with Silicon Valley Bank having some issues - and some of the banking industry - to diversify, putting funds at different places is not a bad thing. I certainly do the same thing and diversify my risk to make sure I'm careful about putting all my eggs in one basket, so to speak.
Jon Luskin: Stephen, we got a couple questions about password managers from the Bogleheads® Forums, from username “jocdoc” and “Lastrun.” “Lastrun” asks: “I put my password information into a third-party password manager. Is that safe?”
Stephen Ryder: First of all, absolutely use them. One thing I like about a password manager - a lot of the websites I go to, I don't even know the password. A password manager will generate passwords at my request. And the nice thing about a password manager is not using the same password over and over and over again. As you continue to use the same password over and over again, once somebody gets in one of your websites or wherever your data is, they can get into multiple ones. So again, my password manager password is only used to get in my password manager. It is not used by any other thing.
One other thing I love about a password manager. When you use it and you put it in your browser and go to the website, it recognizes the website and will enter the password. If you click on a bad link, like for example somebody tries to phish you, they send you a link to “Amazon,” you click on the link, it looks like Amazon but it really isn't. The password manager won't recognize the site. Therefore, it can't put the password in because it is a fake site.
Now for me, I don't know the password to my Amazon account. So, I couldn't even enter the password because if my password manager doesn't recognize the site, I don't recognize the site. And I don't even know the password anyway. So, that's another great value to using a password manager.
Jon Luskin: We have another question from the Bogleheads® Forums: “I have read several articles from Wired and in the New York Times that state Windows Defender is all you need, and that additional antivirus software is unnecessary.”
Stephen Ryder: Windows Defender has come a long way. Microsoft has come a long way to protect the operating system, and I applaud them for doing that. From a home user aspect, yes, Windows Defender is fine.
Jon Luskin: So, Stephen, it sounds like Windows Defender is all you need. If someone was up for getting an additional or supplementary antivirus software, what would be a good one that you suggest?
Stephen Ryder: Bitdefender and Webroot are probably the top that we've been suggesting. We've used Bitdefender for years. I would say, probably Bitdefender would be my top choice for an antivirus program. Malwarebytes is another good one to download and scan your computer occasionally to protect yourself. That's free for home use.
Jon Luskin: Stephen, this one is from username “Speckles” from the Bogleheads® Forums who writes: “The risks of linking accounts for transfers like a local bank account or linking a brokerage account to TurboTax to upload info. Are all those risks equal? Are there things we should be doing or watching out for when linking accounts?”
Stephen Ryder: Again, making sure there's some type of additional authentication when those accounts are linked. So, I'll say the word “difficult”, “inconvenient”, some type of method to make sure the ability to just simply link these accounts with the username and password is not so easy to do.
If it's inconvenient and it's difficult to do, that's a good thing. You want it to be complex, and if you need help to do it, whether your banker, your broker, or whoever has to help you because it's a little complicated, that's okay. It's okay. It's not simple to Google and figure out how to do it. You want it complicated. If it's easy, stay away from it.
Be aware that, if you set up all these multi-factor authentications, make sure you are doing something before you start approving things on your phone.
Jon Luskin: Sometimes I'll be managing multiple accounts, so maybe I'm managing my account and then my wife's account, or maybe I'll be managing my account and then a family member where I'm their attorney-in-fact, and I only have one phone number. And some platforms won't let you use the same phone number twice.
What is best practice in that situation? If I've got some mandatory “2FA” requirements set up, but I only have one phone number. And a platform won't let me use that same phone number across accounts.
Stephen Ryder: A lot of these accounts should have authenticator applications. I have a couple on my phone. I use an application called Microsoft Authenticator. I have one called Google Authenticator. A lot of these websites should have the ability to authenticate to these authenticator type apps rather than just phone numbers.
Getting a text by phone is becoming less and less secure. And these authenticator apps are the way to go. Most of my websites are all using authenticators like Amazon, GoDaddy, all these different websites I'm going to use this authenticator app to authenticate. Getting away from phones, I think texting by phone is going to start to disappear in the future.
Jon Luskin: This one is from username “hudson” from the Bogleheads® Forums who writes: “Here is my current situation. I have Windows 10, Windows Defender, Malwarebytes, Chrome always up to date. I have a password manager for my iPhone. I have it set to Face ID. For Vanguard, I use YubiKeys. Withdrawals are only linked to specific bank accounts. And for all financial institutions, I have notification for transactions. And my credit is frozen. How can I improve?”
And then perhaps before answering this, Stephen, you can tell us what YubiKeys is for folks who don't know what that is.
Stephen Ryder: Jon, maybe he should be a speaker. That's impressive.
First of all, the YubiKey. A YubiKey is a little USB-looking token that you plug into your computer to authenticate you when you're logging in. I use one every day when I log into my computer network.
I think the biggest thing for me, additional things, I'm assuming all these things are happening based on what he appears to be doing is making sure the computer is always patched, always up to date, making sure all the software programs on the computer are always patched and up to date. Make sure the drivers on the computer are always patched and up to date. Make sure the phone is always patched and up to date. A lot of these security holes, sometimes people neglect to do them because it's in the middle of the day. They don't worry about it. They don't think about it. A lot of these security holes are because people aren't patching their computers.
Similar to what I said earlier. But again, being careful with any social media type accounts, posting whatever they're doing online. But, man, that sounds pretty impressive to me, I'll tell you that.
Jon Luskin: So, it sounds like “hudson” has some great best practices for keeping his money safe online.
One thing not included in his various ways to manage his risk is some protection against cognitive impairment. So that's why having a trusted party to help manage your finances in that worst case can also help manage your risk.
We talk about that on our previous episode of Bogleheads® Live. Folks can check out that podcast episode. I'll link to that in the show notes. That is episode, “How to talk to your parents about their finances.” Cameron Huddleston is the guest for that episode. That is Episode #34.
I'm going to make Justin a speaker so we can ask his question on cybersecurity.
Justin: Does VPN help with security or can VPN companies steal your information by using it?
Jon Luskin: Great question. Let’s do some VPN 101, so maybe Stephen, you can tell us briefly what a VPN is and what we should think about using it.
Stephen Ryder: VPN the acronym means Virtual Private Network. It's traditionally a piece of software that gets installed on your device, i.e., computer, iPhone, iPad. Nowadays, it's really used for when you hop on WIFI that is not known to you. Whether it's the hotel, coffee shop, wherever it is, or a friend's house, that you really don't know the integrity of the WIFI and whether it's been compromised. Like if you go to Starbucks, it says Starbucks WIFI or whatever. So, the VPN, what it does is protect the communications, and so what the VPN will do is secure that or encrypt all that traffic.
VPNs absolutely do work. They allow you to work obviously from wherever you are. Typically, even with VPN be careful about using public WIFI, whether using a coffee shop or on an airplane, whether they're in a hotel conference room. While VPN still is helpful to secure that transmission, for working remotely I'm always careful.
And so, for me, when I'm traveling, what I do is I always consider everything I'm doing as I've got a vulnerability somewhere. If I'm not in my home office or I'm at my company. For example, I'm always careful what I'm doing on a plane. For me, if I'm in a public area, I'm just responding to email. That's all I'm doing. I'm not doing any other secure, risky behavior for fear of anyone looking over my shoulder.
Jon Luskin: Let me ask you a question. I’ll have the VPN on, and then I'll go to a financial website such as ally.com - online high yield savings - and then Ally will block me accessing their site when I have that VPN on.
What are your thoughts there? We're supposed to be using a VPN to help manage our risk online, but when we want to access financial institutions, they won't let us get in there if we have that VPN turned on.
Stephen Ryder: Keep in mind at some level, an SSL - SSL means Secure Socket Layer - it's how you connect to a website using “https.” All websites pretty much use “https” nowadays, a form of a VPN. So, when you connect to a secure website, it does identify you and does connect you in.
I use a VPN when I am using a public WIFI. Otherwise, I don't find the VPN overly necessary. If you're working out of your house. You've got a secure network. You’ve got a protected environment. You’ve got secure WIFI, password protected. I don't use a VPN. But when I'm traveling about, I do.
Jon Luskin: Stephen, do I need to upgrade to Windows 11?
Stephen Ryder: Windows 11 has security features as Microsoft continues to add more security features to it. So yeah, no reason not to upgrade to Windows 11.
Jon Luskin: This question is from username “Lastrun” who writes: “I use an up-to-date router that I replace every three to four years with a separate guest login. Is that good enough for my home WIFI?”
Stephen Ryder: I love that. First of all, it is very rare somebody does that at home. We obviously for businesses always, always recommend that.
Jon Luskin: We've got another question from “jocdoc”, this user from the Bogleheads® Forums writes: “Do you recommend a separate Chromebook to access your financial accounts online?”
This is actually a suggestion by consumer expert Clark Howard, who's actually going to be the keynote speaker at the 2023 Bogleheads® Conference. Go to boglecenter.net/2023conference to register.
Stephen, what do you think about using a separate Chromebook to access and manage your accounts online?
Stephen Ryder: It's not a bad idea. Maybe his intent was saying you have a shared computer that other people might be using. You have a common PC that your kids are gaming, that your wife's doing something, that you're doing something. It makes sense.
Having one computer that only you use is really where I would settle on. Not having a computer that other people are using. So, my computer is my computer, and my wife is not using it. My daughter's not using it. Nobody's using my computer. So, I can control and make sure no software, nothing else is installed on my computer.
Jon Luskin: This one is from username “abuss368” – Tony - who writes: “Account statements. How safe is it to download and save them to your devices such as Apple? Better yet, is that something that you even need to do?”
Stephen Ryder: I would not do that. So first of all, your devices, your Apple, your computers should be encrypted. So, that's probably a good thing. But even though a computer's encrypted, when it's booted up if you happen to hit a link or call the 1-800 number and you allow someone on your computer, they can get access to that information.
Jon Luskin: Stephen, any final thoughts before I let you go?
Stephen Ryder: Be aware and be cautious about anything you're doing. I'm sure we all get spam email – and text now – spam phone calls, anything that has a sense of urgency to it, you just have to ignore.
And, we like to help people. We like to respond to people. We’re this instant satisfaction, instant response society, where we have these phones at our fingertips. We react. We respond. And we jump on something oftentimes the moment we get it.
Think about what they need. Think about is it legit, is it not legit? Those are the things that are really, really important to be careful. So careful what you're doing, and realize security is not convenient and any extra steps of security you can do, take those extra steps.
Jon Luskin: That's all the time we have for today. Thank you to Stephen for joining us today, and thank you for everyone who joined us for today's Bogleheads® Live.
Registration is now open for the 2023 Bogleheads® Conference. Our 2023 conference will be on October 13th through the 15th in Rockville, Maryland. Register at boglecenter.net/2023conference.
For the next Bogleheads® Live, Pete Adeney, AKA Mr. Money Mustache will be our guest. That'll be on Tuesday, May 2nd, 10:00 AM Pacific, 1:00 PM Eastern. So, if you are listening to the podcast episode of this show, that means you're probably listening to it shortly after Monday, April 24th when the podcast episode will come out.
That means the second Tuesday after that, eight days after that, that's when we'll have Mr. Money Mustache as our guest. So, you can join our live conversation on Twitter in just a week and change. That's twitter.com/bogleheads. You can submit your questions for Mr. Money Mustache on the Bogleheads® Forums at bogleheads.org and on Bogleheads® Reddit.
Until then, you can access a wealth of information for do-it-yourself investors at the John C. Bogle Center for Financial Literacy at boglecenter.net and bogleheads.org, the Bogleheads® Wiki, Bogleheads® Twitter, the Bogleheads® YouTube channel, the Bogleheads® on Investing Podcast with host Rick Ferri, Bogleheads® Facebook, Bogleheads® Reddit, The John C. Bogle Center for Financial Literacy on LinkedIn, and local and virtual chapters.
For our podcast listeners, if you could take a moment to subscribe and to rate the podcast on Apple, Spotify, or wherever you get your podcast. And also, be sure to leave a review. Thanks to everyone who rated it. Writing a review would also be amazing. We've had 31 ratings so far, but only five reviews, so please take a moment to do both. That'll help more folks find this resource for do-it-yourself investors.
And now some thank yous. Thank you to Barry Barnitz for his help with the show. Thanks to Nathan Garza and Kevin for editing the show. And a final ‘thank you’ to Jeremy Zuke for transcribing podcast episodes. I could not do it without everyone's help.
Finally, I'd love your feedback. If you have a comment or guest suggestion, tag your host @JonLuskin on Twitter. Thanks again, everyone. Look forward to seeing you all again next time. Until then, have a great one.